1. Field of the Invention
This invention pertains in general to computer security and in particular to detection of malicious software.
2. Description of the Related Art
There is a wide variety of malicious software (malware) that can attack modern computers. Malware threats include computer viruses, worms, Trojan horse programs, spyware, adware, crimeware, and phishing websites. Malware can, for example, surreptitiously capture important information such as logins, passwords, bank account identifiers, and credit card numbers. Similarly, the malware can provide hidden interfaces that allow the attacker to access and control the compromised computer.
Modern malware is often targeted and delivered to only a relative handful of computers. For example, a Trojan horse program can be designed to target computers in a particular department of a particular enterprise. Such malware is difficult for security software to detect because there are fewer instances of the same malware, and the security software might not be configured to recognize it. Moreover, even mass-distributed malware is becoming harder to detect because the malware can contain polymorphisms designed to evade detection.
In response to the increasing difficulty of detecting malware, security software is evolving toward white list-based security. Under a white list approach, only software appearing on a white list of known legitimate software is allowed to execute on the computer. Software not appearing on the white list is treated as suspicious and might be prohibited from executing.
However, the white list approach has its own drawbacks. It is difficult, if not impossible, to maintain a comprehensive white list due to the large amount of legitimate software in the world today. When the security software encounters software that is not on the white list, it typically asks the user of the computer whether to execute the software. Querying the user can defeat the purpose of the security software since it simply transfers the security issue back to the user. In addition, malware can defeat white list-based security by subverting software appearing on the list. Therefore, there is a need in the art for a way to detect malware that does not suffer from these shortcomings.
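As an added illustration that is not part of the patent text, the following Python models the white list approach described above on constructed sample files: software whose hash is enrolled on the list may execute, and anything else (an unknown but legitimate tool, a targeted Trojan, or a listed program whose bytes have changed) falls back to the query-the-user outcome. All paths and file contents are invented.

```python
import hashlib

# Constructed sample binaries standing in for files on disk (not real software).
SAMPLE_FILES = {
    "/usr/bin/editor": b"editor v1.0 legitimate bytes",
    "/usr/bin/mailer": b"mailer v2.3 legitimate bytes",
    "/home/user/newtool": b"legitimate but unknown utility bytes",
    "/tmp/dropper": b"targeted trojan bytes",
}


def sha256_hex(data: bytes) -> str:
    """Hash of a program's bytes, used as its white list key."""
    return hashlib.sha256(data).hexdigest()


# The white list holds hashes of known legitimate software. Only two of the
# sample files are enrolled, mirroring the point that no list is comprehensive.
WHITE_LIST = {
    sha256_hex(SAMPLE_FILES["/usr/bin/editor"]),
    sha256_hex(SAMPLE_FILES["/usr/bin/mailer"]),
}

ALLOW, ASK_USER = "allow", "ask_user"


def whitelist_decision(contents: bytes, white_list=WHITE_LIST) -> str:
    """Decide whether a program may execute under the white list approach.

    Anything not on the list is treated as suspicious; the fallback of asking
    the user, which the text identifies as a drawback, is modelled as ASK_USER.
    """
    return ALLOW if sha256_hex(contents) in white_list else ASK_USER


def evaluate_all(files=SAMPLE_FILES) -> dict:
    """Apply the decision to every sample file, keyed by path."""
    return {path: whitelist_decision(data) for path, data in files.items()}


if __name__ == "__main__":
    for path, decision in evaluate_all().items():
        print(f"{decision:9s} {path}")
    # Caveat: hashing catches an on-disk change to a listed program, but a
    # listed program subverted at run time (e.g. code injected into its
    # running process) still passes this check, which is the second drawback
    # the description names.
```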